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(57) Abstract 

The present invention is concerned with systems and methods for using a mobile telephone to automatically log. a computer user onto 
a computer system. A subscriber identification module (SIM) is introduced to the computer system so that the computer system associates 
the SIM with the computer user. The SIM is then inserted into the mobile telephone. When the mobile telephone is powered on the 
user is prompted for a personal identificaUon number (PIN). When the user wishes to log onto the computer system, the user establishes 
a communication channel between the mobile telephone and the computer. The mobile telephone and computer exchange identification 
information and the computer user is automatically logged onto the computer system. 
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MOBILE TELEPHONE AUTO PC LOGON 

RFLATKD APPLICATIONS 
This application is related to, and claims priority from U.S. Provisional 
Patent Application Serial No. 60/109,691, entitted "Mobile Phone Auto PC 
5 Logon", filed on November 24, 1998, the disclosure of which is incorporated here 

by reference. 

PACJKQROTJND 

The Global System for Mobile communication (GSM) describes a European 

10 standard for radiocommunication utilized by the corresponding Public Land 

Mobile Networks (PLMNs) in the region and in many other countries, which 
standard is intended to provide uniformity so that users can access 
radiocommunication systems throughout Europe and many other countries with 
minimal equipment compatibility problems. 

15 In order for mobile telephones to operate in cellular telephone systems, the 

user of the mobile telephone must have a subscription with a network provider. In 
GSM systems, the mobile telephone is identified as having a subscription with a 
network provider through the use of a subscriber identity module (SIM). The SIM 
is a "smart card" comprising a processor and a memory. The SIM is designed 

20 such that it may be removed from one mobile telephone and inserted into another 

mobile telephone with which the user wishes to use her subscription. In GSM the 
SIM is used to protect the mobile network against fraudulent access and to ensure 
subscriber privacy. This is accomplished through authentication of the subscriber 
to prevent access of unregistered users, radio path ciphering, in particular 

25 ciphering of all subscriber information to prevent third party tapping, and 

subscriber identity protection to prevent subscriber location disclosure. 
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In order to protect information stored on computers, authentication 
mechanisms are used to verify that a user of a computer is an authorized user. 
Typical computer authentication mechanisms include a logon identification and a 
password. One way to increase the security of a computer system or network is to 

5 increase the number of characters in logon identifications and passwords. Further, 

some computer systems and networks require that the logon identification and 
password are changed on a regular basis, e.g., every three months. Computer 
users find it difficult to memorize long audientication codes every few months. 
Accordingly, what is needed is a secure way for the user to authenticate a 

10 computer system without having to memorize a logon identification and password. 

SUMMARY 

These and other drawbacks and difficulties found in authentication systems, 
for example computer systems, are overcome according to the present invention. 

15 According to exemplary embodiments of the present invention, a SIM card 

contained in a mobile telephone is associated with a user's computer account using 
a secure technique which exchanges identification information between the 
computer and the SIM. When the mobile telephone is powered on, the user is 
required to enter a Personal Identification Number (PIN). When the user of a 

20 mobile telephone, who has entered the correct PIN comes into conununication with 

a computer, the mobile telephone exchanges the identification information with the 
computer and, if the user is authorized, the user is automatically logged onto the 
computer. Accordingly, the user only needs to memorize a short PIN in order to 
perform the authentication needed to log onto a computer. 

25 In accordance with various embodiment described herein, the 

communication link between the computer and the mobile telephone can comprise 
a short-range wireless radio conununications link, an infrared wireless 
communication link, or a cable connecting the computer and the mobile telephone. 
Alternatively, the conununications link can be established when the mobile 
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telephone is inserted into a telephone battery charger located in proximity to the 
computer. 

Further, exemplary embodiments of the present invention provide a method 
of configuring the mobile telephone and the computer system so the computer 
5 system associates the user of the mobile telephone with a user name and password 

stored in the computer system. 

RUTKF DESCB IPTTON OF THE DRAWINGS 

The foregoing objects, features and advantages of the present invention will 
10 be more readily understood upon reading the following detailed description in 

conjunction with the drawings in which: 

Figure 1 illustrates the authentication system according to an exemplary 
embodiment of the present invention; 

Figure 2 illustrates an exemplary method for configuration of the mobile 
15 telephone and the computer system; 

Figure 3 illustrates an exemplary database record for storage and retrieval 
of a SIM ID and public key associated with a particular subscriber; 

Figure 4 illustrates a exemplary arrangement which allows a mobile 
telephone to logon to a computer system of the present invention; and 
20 Figure 5 illustrates an exemplary method for logging on to a computer 

system using a mobile telephone. 

nFTATT.FT> DESCRIPTION 

25 In the followmg description, for purposes of explanation and not 

limitation, specific details are set forth, such as particular circuits, circuit 
components, and techniques, in order to provide a thorough understanding of the 
present invention. However, it will be apparent to one skilled in the art that the 
present invention may be practiced in other embodiments that depart from these 
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specific details. In other instances, detailed descriptions of well-known methods, 
devices, and circuits are omitted so as not to obscure the description of the present 
invention. 

The exemplary embodiments provide illustrative examples relating to 
5 mobile telephones which operate according to the GSM standard. However, those 

skilled in the art will appreciate that the concepts disclosed herein are equally 
applicable to mobile telephones which operate according to other standards. 
Likewise, some of the exemplary embodiments provide ilhistrative examples 
relating SIM cards for providing subscriber identification information, however, 
10 the techniques described herein are equally applicable to other methods of 

providing subscriber identification information in a mobile telephone. 

Figure 1 illustrates an exemplary embodiment of the hardware which is 
used to implement the present invention. A user mserts SIM 120 into mobile 
telephone 1 10. SIM 120 provides information necessary for the mobile telephone 
15 110 to operate in the mobile network. When the mobile telephone 110 is powered 

on, the user is prompted for a PIN which would allow the user to operate the 
telephone. If the PIN entered by the user matches the PIN stored in SIM 120, then 
the user is able to operate mobile telephone 110. 

Computer 140 can be any type of computer such as a "Wintel" computer 
20 comprising an Intel processor and using a Microsoft Windows operating system. 

However, one skiUed in the art will recognize that the computer could also use 
processors made by any manufacmrer, e.g.. Cyrix or AMD, Motorola, and any 
type of operating system, e.g., Unix and Apple's Macintosh operating system. 
Typically, for a user to access the operating system and application files which are 
25 stored on computer 140. the user must be logged onto the computer 140. Typical 

logon procedures include a graphical user interface form with blanks for a user to 
enter a logon identification and a password. Once a user has enter the correct 
logon identification and password the user will be logged onto the computer 140. 
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In order for a user to implement the present invention, the computer system 
and the mobile telephone can be configured such that the user account or identity 
of mobae telephone 110 is associated with a user account or identity of the 
computer 140 (or a computer network). More specifically, SIM 120 will be 
5 associated with the account of a user of computer 140. According to an exemplary 

embodiment of the present invention, computer 140 runs Windows NT and the 
SIM can run programs written in the Java programming language. 

Figure 2 illustrates an exemplary method for configuration of the system. 
Accordingly, in step 205 the mobile telephone is set in a mode wherein 
10 information can be written into the SIM, e.g. , the SAT configuration mode. 

According to an exemplary embodiment of the present invention, SIM 120 
contains a SIM application toolkit (SAT). SAT is a development environment 
incorporated in the GSM standard for writing programs which run on SlMs. To 
install the program which generates the public and private keys onto SIM 120, 
15 SIM 120 is inserted into smart card reader/writer 150. One skilled in the art will 

recognize that smart card reader/writer is only needed to install the programs 
which run on SIM 120, e.g.. the program which generates public and private keys. 
Accordingly, to automatically logon to a PC according to the present invention 
does not require each computer to have a smart card reader/writer. The mobile 
20 telephone can be set in the SAT configuration mode by selecting the configure 

SAT option from the menu of functions available on the mobile telephone and by 
entermg the correct PIN, i.e., an administrative PIN used for configuration of the 
mobile telephone. Alternatively, the PIN used for setting the mobile telephone in 
the SAT configuration mode may be the same PIN used to activate the mobile 

25 telephone. 

In step 210, the computer 140 generates a set of public and private keys. 
The public key is stored in an administrative database in computer 140, or in a 
computer network, in accordance with step 215. Figure 3 illustrates a purely 
exemplary database record for storage and retrieval of a SIM ID and public key 
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associated with a particular user. In step 220, the private key is stored on the SIM 
120. In addition the various parameters for coding data transferred between the 
mobile telephone 110 and the computer 140. are stored on the SIM 120, in 
accordance with step 225. The various parameters are the numbers used in the 
5 RSA algorithm, e.g. , two prime numbers. 

Once the system has been configured to associate the SIM with one or more 
user accounts/identities of the computer system and the user of mobile telephone 
1 10 has entered the PIN into the mobUe telephone 1 10, the user may automaticaUy 
log onto computer 140. Accordingly, the user will engage a communications link 
10 between mobUe telephone 110 and computer 140 to transfer authentication/identity 

information there between. According to an exemplary embodiment, the 
communication link between mobile telephone 1 10 and computer 140 is established 
via short range radio communications technology such as "Bluetooth" which is 
described in "Bluetooth-The Universal Radio Interface for Ad Hoc, Wireless 
15 Comiectivity" by Jaap Haartsen, Ericsson Review, No. 3, 1998, which is herein 

incorporated by reference. Of course those skilled in the art will appreciate that 
any other type of communication link can be employed. According to the 
exemplary embodiment using "Bluetooth", the user need only enter an area within 
the radio range of the computer for a communications link to be engaged between 
20 the mobile telephone and the computer. According to this embodimem. computer 

140, has a communication unit 130 attached to it. in order to communicate via the 
short range radio communications. 

Figure 4 illustrates an exemplary arrangement which allows a mobile 
telephone user to logon to a computer system according to the present invention. 
25 Computer 405 is running an operating system 450, wherein one of tiie components 

of tiie operating system is resource manager 410. A smart card device driver 415 
interfaces between the operating system 450 running on computer 405, and SIM 
430, as illustrated in figure 4. In an exemplary embodhnent, computer 140 is 
running an operating system which uses Microsoft Smart Card Technology. 
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Microsoft Smart Card Technology is currently available for the following 
operating systems, Microsoft Windows 95, Windows 98, NT 4 and NT 5. 
Additionally, future versions of Microsoft operating systems are expected to 
support the Smart Card Technology. Smart Card Technology uses a resource 
manager to manage and control all applications access to the smart card. 
Microsoft Smart Card Technology is described in "Smart Cards White Paper", 
Microsoft Corporation, April 24, 1998, which is herein incorporated by reference. 
Although an exemplary embodiment of the present invention is described hereto 
with reference to the Wmdows NT operating system, one skilled in the art will 
recognize that the present invention can be implemented using any type of 
operating system which has the ability, or can be modified, to communicate with 
smart cards. Device driver 415 and resource manager 410 are components of the 
Smart Card Technology. Accordingly, one skilled in the art wUl recognize that in 
other operating system environments, the operating system components responsible 
for logon will perform fimctions similar to those described herein with regard to 
the device driver 415 and the resource manager 410. Device driver 415 
communicates with mobile telephone 425 through communications link 420. 
Identification and authentication information are exchanged between SIM 430, via 
mobile telephone 425, and the computer 405, via device driver 415. Accordmgly, 
device driver 415 translates information received fi^om mobile telephone 425 into a 
form which is compatible with resource manager 410, and also translates data firom 
resource manager 410 into a form which mobile telephone 425 can convey to SIM 
430. 

An exemplary method for loggmg onto a computer system using a SIM in a 
mobile telephone is illustrated in Figure 5. In step 510, one of the computer and 
the activated mobile telephone recognize a proximity to the other. According to 
one exemplary embodiment this is accomplished by the computer detecting a short 
range signal emitted by the mobile telephone. Alternatively, the mobile telephone 
can detect a short range signal emitted by the computer. In step 515, the computer 
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determines whether a mobile telephone has been found. If the computer does not 
find a mobile telephone, in accordance with the "NO" path out of decision step 
515, then the computer returns to step 510 to search for a mobile telephone. If a 
mobile telephone is found by the computer, in accordance with the "YES" path out 
5 of decision step 515, then components of the smart card technology on the 

Wmdows NT computer sends an instruction to the mobile telephone to activate the 
authentication application in die SIM. in accordance with step 520. 

In step 525, the computer queries the mobile telephone using an AT 
command to determine whether the detected mobile telephone has the capability of 
10 generating a digital signature and whether such capability has been activated in the 

mobile telephone. AT stands for attention, and AT conunands are standard 
commands used for serial communication with computers. The digital signature is 
a string of bits which is produced by the RSA algorithm using the private key and 
a random string of bits. The digital signature is used to uniquely, and securely, 
15 identify the mobile telephone. According to an exemplary embodiment of the 

present invention, the mobile telephone will have an option on one of its menus to 
activate and deactivate the sending of a digital signature. If the digital signature 
capability is not activated, in accordance with the "NO" path out of decision step 
525, then the system returns to step 510 and the computer continues to search for 
20 mobile telephones. 

If the digital signature capability has been activated by the mobile 
telephone, in accordance with the "YES" path out of decision step 525, then the 
smart card driver 415 sends an AT command to the mobile telephone requesting 
the SIM ID number, ui accordance with step 530. After the SIM ID is returned 
25 from the mobile telephone to the computer, the smart card driver 415 notifies the 

resource manager 410 that a SIM card is mserted in the mobile telephone. The 
resource manager 410 notifies a graphical identification and authentication 
dynamic-link library (GINA) that a card is inserted, in accordance with step 550. 
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GINA allows developers to implement smart-card authentication mechanisms in 
place of the. standard Windows NT user name and password authentication. 

In step 560, GINA retrieves the authentication information from the SIM, 
Step 560 involves GINA calling the Crypto applications program interface 

5 (CryptoAPI), which results in data transfer between the card and the smart card 

driver. This data transfer involves the smart card driver sending (via a transceiver 
device connected to computer 405), a random pattern of bits to the SIM. This 
information can, for example, be stored in the SMS (short message service) 
memory of the mobile telephone. The SIM card m the mobile telephone encodes 

10 the random data using the RSA algorithm and with the private key. The coded 

data, i.e., the digital signature, is sent back to the smart card driver. The 
encrypted random bits are decrypted by either the smart card driver or the 
CryptoAPI service provider using the SIM's public key. The decrypted random 
bits are compared to the transmitted random bits, in accordance with step 570. If 

15 the data matches then the user is logged onto the computer in accordance with step 

580. The logon procedure of step 580 is completed by GINA in cooperation with 
other components of the authentication system, e.g., LAN Security Architecture 
(LSA), Kerbos, Key Distribution Center (KDC). 

Although the description above describes logging onto a computer, one 

20 skilled in the art will recognize that the invention is equally applicable to logging 

onto computer networks or any device which requires authentication. Further, 
although communications unit 130 is shown as a separate peripheral from 
computer 140, one of ordinary skill in the art will recognize that communications 
unit 130 can be incorporated in a PC card design and mounted inside of computer 

25 140. In addition, although the exemplary embodiments describe the use of a PIN 

to activate the mobile telephone, the mobile telephone can also be activated by 
conventional voice activation systems. 

Although the exemplary embodiment is discussed wherein the 
communications link between computer 140 and mobile telephone 110 is a radio 
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communications link, the present invention can be practiced with any type of 
communications link between the computer and mobile telephone. Accordingly, 
the communications link may be a cable attached between the two devices, e.g., an 
RS-232 cable. Alternatively, the communications link may be an IrDA link, i.e., 

5 an injfrared link whose standards are defined by the Infrared Data Association. 

According to an exemplary embodiment, the authentication could be performed 
when the mobile telephone 110 is inserted into a cradle which recharges the mobile 
telephone's battery. In addition to being connected to a power source, the cradle is 
connected to the computer through any of the various communications links 

10 described herein. Additionally, when a user of the mobile telephone, who has 

already logged onto a computer, moves out of range of the computer, the user may 
be automatically logged off of the computer. Alternatively, when the mobile 
telephone moves out of range a password protected screen saver could be initiated 
to protect the computer users data. 

15 While the present invention has been described using the forgoing 

exemplary embodiments, these embodiments are intended to be illustrative in all 
respects, rather than restrictive of the present invention. Thus, the scope of the 
present invention is instead set forth by the appended claims and encompasses any 
and all equivalents and modifications embraced thereby. 
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AywAT IS n AIMED IS: 

1. A method for logging onto a computer comprising the steps of: 
establishing a communications channel between a mobile telephone and the 

5 computer; 

exchangmg identification information between the mobile telephone and the 
computer; and 

logging a user of said mobile telephone onto the computer when the 
identification information is verified by the computer. 

10 

2. A method in accordance with claim 1 , further comprising the steps of: 
entering a personal identification number when the mobile telephone is 

powered on; and 

activating the mobile telephone if the entered personal identification number 
15 matches a personal identification number stored on a subscriber identity module in 
said mobile telephone. 

3. A method in accordance with claim 1 comprising the step of 
associating the mobile telephone with the user of the computer. 

20 

4. A method in accordance with claim 3, wherein said step of associating the 
mobile telephone comprises the steps of: 

setting the mobile telephone into a configuration mode; 
generating public and private keys; 
25 storing the public key in a database on said computer; and 

storing the private key and coding data on a smart card in said mobile 
telephone. 
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5. A method in accordance with claim 1, wherein said step of establishing 
a communications channel comprises the steps of: 

searching for a mobile telephone; and 

determining whedier a digital signature capability is present in the mobile 
telephone and whether the digital signature capability has been activated in said 
mobile telephone. 

6. A method in accordance with claim 1. wherein the step of exchanging 
identification information comprises the steps of: 

retrieving an identification number associated with a smart card; 

notifying die computer that the smart card is inserted in the mobile telephone; 

and 

retrieving authentication information from said smart card. 

7. A method in accordance with claim 1 , wherein the conununications channel 
is a radio communications link. 

8. A method in accordance with claim 1, wherein the communications channel 
is an infrared link. 

9. A method in accordance with claim 1 , wherein the communications channel 
is a cable connecting the mobile telephone and the computer. 

10. A method in accordance with claim 1, wherein said communications 
channel is established when the mobile telephone is inserted into a battery charger, 
and wherein said battery charger is connected to the computer via said 
communications channel. 



wo 00/31608 



• 



PCT^E99/02115 



-13- 



10 



15 



20 



11. A system for logging onto a computer comprising: 
a mobile telephone; and 

a communications link between said mobile telephone and said computer, 
wherein a user of said mobile telephone is logged onto said computer through an 
authentication procedure which is performed over said communications Imk. 

12. A system according to claim 1 1 , wherein said mobile telephone includes a 
subscriber identity module (SIM). 

13. A system according to claim 1 1 . wherein said card is a smart card. 

14. A system according to claim 11, wherein said conununications link is a 
radio communication link. 

15. A system according to claim 11, wherein said conununications link is a 
cable connecting the mobile telephone and the computer. 

16. A system according to claim 11, wherein the authentication procedure 
involves the mobile telephone coding random bits transmitted from the computer, and 
wherein the mobile telephone transmits the encoded random bits to the computer. 

17. A system according to claim 16, wherein said mobile telephone codes the 
random bits using a private key, and wherein the computer decodes said encoded 
random bits using a public key. 

18. A method for automatically logging a mobile telephone user onto a 
computer network comprising the steps of: 

searching for a mobile telephone from a computer connected to said computer 

network; 
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determining, by said computer, whether the mobile telephone has been set in 
an automatic logon mode; 

checking, by said computer, an identification number of the mobile telephone; 

performing an authentication procedure between the mobile telephone and the 
computer. 

19. A method in accordance with claim 18, wherein the mobile telephone is 
set in an automatic logon mode if a digital signature capability is present and is 
activated in the mobile telephone. 

20. A method in accordance with claim 18. wherem the identification number 
is a subscriber identification module number stored on a smart card in the mobile 
telephone. 



15 21. A method in accordance with claim 18, wherein the step of checking an 

identification number of the mobile telephone comprises the step of: 
retrieving the identification number using an AT command. 

22. A method in accordance with claim 18, wherein the authentication 
20 procedure comprises the steps of: 

notifying an operating system component which is responsible for logon that a 
card is inserted in the mobile telephone; 

retrieving and analyzing authentication information from the card; and 
logging the user onto the computer if the authentication information is valid. 



25 



23. A method in accordance with claim 22, wherein the step of retrieving and 
analyzmg authentication information comprises the steps of: 

sending a random string of bits to the mobile telephone; 
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encoding, in the mobOe telephone, the random string of bits with a private 

key; 

returning the encoded random string of bits to the computer; and 
decoding, in the computer, the encoded string of bits using a public key. 

5 

24. A method in accordance with claun 23, wherein the authentication 
information is valid when the string of bits decoded by the public key matches the 
random string of bit sent to the mobile telephone. 

10 25. A method in accordance with claim 18, wherein the computer and the 

mobile telephone exchange information through a wireless communication channel. 

26. A method in accordance with claim 25, wherein the wireless 
communication channel is a short range radio frequency channel. 

15 

27. A method in accordance with claim 25, wherein the wireless 
communication channel is an infrared communications channel. 

28. A method in accordance with claim 18, wherein the computer and the 
20 mobile telephone exchange information through a cable. 

29. A method in accordance with claim 18, further comprising the step of: 
automatically logging the user off of the computer network when the mobile 

telephone is a predetermined distance from said computer, wherein the predetermined 
25 distance is a range of a radio signal produced by the computer. 



30. A method in accordance with claim 18, further comprising the step of: 
initiating a password protected screen saver on the computer when the mobile 
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telephone is a predetermined distance from said computer, wherein the predetermined 
distance is a range of a radio signal produced by the computer. 
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